Machine 2 Machine authentication

I am currently using KC to secure my FE application / API.
I would like to use it to secure my API in a server-to-server / machine-to-machine context.
If I understand correctly, I should use the Client Credentials flow, but creating a client for each new customer doesn’t make sense (to me). Is it the right way to go? (Why shouldn’t I create a user with some kind of ID instead of an email and treat a machine as a user?)
If so, there is some metadata I am using at the user login level (e.g. attributes) which is needed as part of the authorization; this metadata is needed for S2S as well. Where should I manage it?

Thanks in advance.

Try machine login (= code it in your favorite programming language) with user credentials and you will see what the problem is. User login usually needs to use the authorization code grant flow (eventually with PKCE), and that needs a browser. Of course you can automate it, but you will end up with unreliable HTML form parsing, which can be broken any time you update the login template.

That’s the reason why OIDC has the client credentials flow. It is designated for machine access.

Of course you may still “hack” it and enable the direct grant flow, but again it is not the right flow for the machine-to-machine use case.

Thanks a lot for your quick response.
I don’t want to hack it, I want to use it the right way.
So, back to my question: do I need to define a new client for each customer? Meaning, if I have 1K customers I will end up with 1K clients within a realm? Is that OK?

Nothing is stopping you from having only 1 client and sharing it with 1k customers. But of course that’s not a good security practice. The better option is to have a client for each customer.

I would implement some self-service on top of the Keycloak admin REST API, because managing 1k clients can be a time-consuming job, so any authorized customer can manage clients on their own. I can imagine users may need to have more than one client, and a client secret can be exposed, so it will be a good idea to have self-service for client management. Of course it depends on your use case.

So in case I want to manage some attributes (like customer ID), where do you advise me to manage them: in my own DB, or is there KC support for that (like user attributes)?

Clients also have attributes, like users do, but they are not exposed/manageable through the admin UI, only via the API.

There were some (at least two I know of) Jira issues and PRs about that in the past, but they’ve been rejected by the team. Unfortunately.

Oh… good to know, thanks a lot.

One more thing about that: I managed to add attributes to a client via the REST API, but how can I make them embedded inside the JWT token after authentication?

I found another approach to deal with that, using the Hardcoded claim mapper. Is it a valid solution?
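As an added example (not from this thread and not Keycloak's own code), the client-credentials exchange the replies above recommend and the resource-server side check of the resulting token, assuming a hypothetical realm `customers`, one client per customer, and a `customer_id` claim added by a hardcoded claim mapper as asked in the last post. The HS256 helper only constructs a sample token for the demonstration; Keycloak signs access tokens with RS256 by default, in which case the verifier must check against the realm's JWKS.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

def token_request(base_url, realm, client_id, client_secret):
    # Keycloak token endpoint; the client credentials grant needs no user and no browser
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    body = urlencode({"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret})
    return url, body

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def hs256_verifier(secret):
    # Verifier for tokens signed with the client secret (HS256). Keycloak signs
    # RS256 by default; then the verifier must check against the realm JWKS instead.
    def ok(header, signing_input, signature):
        if header.get("alg") != "HS256":
            return False
        expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)
    return ok

def machine_identity(token, expected_issuer, signature_ok, now=None):
    # Resource-server side: who is calling? Signature, issuer and expiry first,
    # then azp (the per-customer client) and the mapped customer_id claim.
    h64, p64, s64 = token.split(".")
    header = json.loads(_b64url_decode(h64))
    if not signature_ok(header, f"{h64}.{p64}".encode(), _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    if "azp" not in claims or "customer_id" not in claims:
        raise ValueError("missing azp/customer_id claim")
    return {"client": claims["azp"], "customer_id": claims["customer_id"]}

def sign_hs256(claims, secret):
    # Constructed sample token for the demonstration; a real one is issued by Keycloak.
    h64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{_b64url_encode(sig)}"
```

The resource server keys its authorization on `azp` and `customer_id` from a verified token, so a shared client would collapse every customer into one identity, which is why one client per customer is the safer layout.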